Cyber-crime is a growing national and global concern. In fact, according to the Cybersecurity & Infrastructure Security Agency (CISA), one in three homes in the United States have a computer infected with malicious software, 65% of Americans who went online received at least one online scam offer, and 47% of American adults have had their personal information exposed by cyber criminals.
The Secure Community Network is tracking multiple suspicious emails and phishing attempts across various communities throughout the U.S. Its Duty Desk is tracking more than 400 phishing or suspicious email incidents so far this year in the Jewish community nationwide. While an event has not happened in Tidewater, it is important to stay ahead of the threat and be aware of these types of attacks. Phishing, in its various forms is serious – the potential loss of data or compromise of sensitive Personally Identifiable Information can devastate an organization.
Following are some definitions of the various forms of phishing and some strategies on how to avoid becoming a victim.
– – – – – – – – – – – – – – – – – – – – – – – –
Phishing
A technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a web site, in which the perpetrator masquerades as a legitimate business or reputable person. It is a form of social engineering in that the perpetrators use methods to trick unsuspecting victims into thinking the message is legitimate, thereby getting the reader to click a link that downloads malware, ransomware, or elicits PII through the completion of a web form.
– – – – – – – – – – – – – – – – – – – – – – – –
Spear Phishing
This is a technique closely aligned with phishing but is more insidious in that the perpetrators may pose as a CEO or procurement agent thereby adding gravity to the message. In these types of attacks, the fake CEO may ask for bank account information or ask the potential victim to wire money to a certain account. There is usually some urgency to the request. Additionally, the perpetrator may have enough information to target each potential victim with just enough facts to elicit the desired response. Another tactic is to send invoices that appear to be from a known vendor. These invoices may be loaded with malware or require the user to enter PII.
– – – – – – – – – – – – – – – – – – – – – – – –
Whale Hunting
This is a type of spear phishing attack that generally targets the executive level of the organization. The perpetrators usually target C-Suite executives using spear phishing methods.
– – – – – – – – – – – – – – – – – – – – – – – –
Smishing
Using fraudulent text messages designed to trick individuals into sharing sensitive data such as credit card numbers, bank account information, or PII.
– – – – – – – – – – – – – – – – – – – – – – – –
Don’t Be a Victim
All these attacks rely on someone taking an action either by clicking a malicious link or divulging sensitive data. Examine emails closely before clicking on any link or replying with sensitive data.
Hover over any link or any email address to see if the domain makes sense. Take a minute and think before you click on any link in a message. Ask the following questions before acting:
• Does this email make sense?
• Am I expecting this message from my CEO/Finance Director/Supervisor?
• Do the domains match the email address?
• Am I expecting this invoice from this vendor?
– – – – – – – – – – – – – – – – – – – – – – – –
Other safety actions
• Keep virus definitions and antivirus programs updated.
• When in doubt, call the alleged originator of the message for confirmation.
– – – – – – – – – – – – – – – – – – – – – – – –
Mike Goldsmith is the SCN Regional Security Advisor for Tidewater. He may be reached at MGoldmith@ujft.org.
-Mike Goldsmith